NATing to an FTP on DMZ

Betterware
Level 1

Hi

Please, please, please can someone help. I have an FTP server running on my DMZ. I can access it fine from another computer on the DMZ and am trying to open it up so I can connect via the 'net. After spending hours with Google I have got as far as the following, but am out of ideas on how to progress.

ASDM 6.2

ASA 8.2

I have setup

Network objectName: FTPServer

IP: 192.168.2.10

Netmask: 255.255.255.255

Access rule

Interface: Outside

Source: any

Destination: FTPServer

Service tcp/ftp, tcp/ftp-data

Static NAT rule

Orig. Interface: DMZ

Orig. Source: FTPServer

Trans. Interface: Outside

Using interface IP Address

PAT Enabled

Orig. port 21

Trans port 21

Thank you!


Anu M Chacko
Cisco Employee

Hi Carlos,

Could you check if "inspect ftp" is enabled on the firewall or not? It would be good if you could post the output of "sh run" here.

Let me know.

Regards,

Anu 

Thank you, Anu, for helping me. According to the sh run output, ftp inspect is on.

Result of the command: "sh run"

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password qvxoIOSQ42Tst4.8 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.2.10 FTPServer description FTPServer

!

interface Vlan1

no forward interface Vlan3

nameif inside

security-level 100

ip address 200.0.0.206 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address ##.##.##.## 255.255.255.252

ospf cost 10

!

interface Vlan3

nameif DMZ

security-level 5

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server ##.##.##.##

name-server ##.##.##.##

domain-name default.domain.invalid

dns server-group ####

name-server ##.##.##.##

name-server ##.##.##.##

same-security-traffic permit inter-interface

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object unreachable

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list inside_access_in remark ip out

access-list inside_access_in extended permit ip any any log disable

access-list inside_access_in remark http out

access-list inside_access_in extended permit tcp any any eq www log disable

access-list inside_access_in remark out to https

access-list inside_access_in extended permit tcp any any eq https log disable

access-list inside_access_in remark ping out

access-list inside_access_in extended permit icmp any any log disable

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list outside_access_in extended permit tcp any host FTPServer object-group DM_INLINE_TCP_1

access-list DMZ_access_in remark http out

access-list DMZ_access_in extended permit tcp any any eq www log disable

access-list DMZ_access_in remark ip out

access-list DMZ_access_in extended permit ip any any log disable

access-list DMZ_access_in remark ping out

access-list DMZ_access_in extended permit icmp any any log disable

access-list DMZ_access_in remark out to https

access-list DMZ_access_in extended permit tcp any any eq https log disable

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 192.168.2.0 255.255.255.0

static (DMZ,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255

static (outside,DMZ) tcp FTPServer ftp 0.0.0.0 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 ##.##.##.##1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 200.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password jbNBXUKHa1JUjwuD encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect ftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:f1ba46587fbf7c5c2e8c587b807f1227

: end

Hi Carlos,

I am not sure why you have this configuration:

static (outside,DMZ) tcp FTPServer ftp 0.0.0.0 ftp netmask 255.255.255.255

But you don't need this NAT, so you can get rid of it and try again.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun, that entry is history! Still no joy after testing again though.

Hi Carlos,

Could you try removing "inspect ftp" and test?

Let me know.

Regards,

Anu

Carlos,

What type of FTP are you setting up? Is it active or passive?

Active FTP: client connects to server on port 21. Server uses port 20 to transfer data back to client.

Passive FTP: client connects to server on port 21. Server tells the client a port > 1024 to use for the data transfer. Client then makes a 2nd connection from its >1024 ports to the server's >1024 ports. In this scenario, the client does all the work, server does nothing.

There would be different config for both.

-Varun

Thanks,
Varun Rao

Thank you both...

Anu,

I have removed FTP inspect (relevant [sh run] output below) and tested again, no joy.

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

Varun,

I am using FileZilla Server here, and the passive modes are set to default. I'm under the impression that PASV is the way forwards but am open to suggestions of course.

Thanks again

Anu

Quick update: removing inspect ftp trashed our usual batch-file FTP communications, so this has been re-enabled and they work again.
